Republic of the Philippines

NATIONAL PRIVACY COMMISSION

PRIVACY POLICY OFFICE

ADVISORY OPINION NO. 2023-0141

21 June 2023

RE: TRANSFER OF PERSONAL DATA AMONG PERSONAL

INFORMATION CONTROLLERS

Dear

We respectfully provide you with our Advisory Opinion on your query raising several privacy
concerns regarding the transfer of personal data of your customers to a local electric
cooperative.

You inform that your company is a third-party power generation and distribution company
with clientele located in isolated areas in the Philippines. We understand that your company
intends to transfer its power distribution rights to a local electric cooperative in one of your
sites. However, there remain unpaid charges from some of your customers. Thus, you requested
the local electric cooperative to collect the unpaid charges on your company’s behalf, but this
necessitates the disclosure of your list of customers including their addresses and contact details
to the local electric cooperative.

Thus, you ask the following:

1. How can your company disclose customer information to its local partner for
collection payables without violating the DPA or any NPC issuance?

2. Does the transfer of your company’s rights as power distributor free it of its
obligations towards its customers as data subjects?

1Lawful Processing; Contractual Obligation; Legitimate Interest; Accountability.

Ref No.: PRD-23-00190 NPC_DIT_AOT-V1.0, R0.0,05 May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph * Tel No. 8234-2228
Personal information; lawful processing of
personal data – contractual obligation;
legitimate interest.

Your company’s intended action of transferring its client list to the new local distributor
qualifies as “processing” under the Data Privacy Act (DPA). 2 On the other hand, the
information in your client list (which consists of your clients’ names, addresses, and contact
details) is classified as personal information under the law. 3 Hence, the processing of your
company’s client list should therefore be supported by the appropriate basis under the DPA.

The collection of unpaid charges from delinquent customers can be considered as lawful
processing of personal information for the purpose of the fulfillment of a contract with the data
subject pursuant to Sec. 12 (b) of the DPA. Your intended processing also finds basis under Sec.
12 (f) of the DPA, since both your company and the local electric cooperative have a legitimate
interest to ensure that all unpaid accounts and charges are fully settled. As such, your company
can provide the local electric cooperative with the list of delinquent customers for proper
collection and payment even without the execution of a Data Sharing Agreement (DSA). As
provided in Section 8 of NPC Circular 2020-03, the execution of a DSA is no longer mandatory,
and the parties may resort to other contractual schemes containing the terms and conditions of
the sharing arrangement. Nevertheless, the execution of a DSA is considered as a best practice
and a demonstration of accountability by the personal information controllers.

Privacy Notice; Data Privacy Principle of

Transparency.

Since the execution of a DSA is not required in this particular case, a privacy notice to your
customers may suffice if there will be no change as to the purpose of the personal data collected.

Nevertheless, your company should still observe the data privacy principle of transparency.
The principle of transparency requires that data subjects must be aware of the nature, purpose,
and extent of the processing of his or her personal data, including the risks and safeguards
involved, the identity of personal information controller, his or her rights as a data subject, and
how these can be exercised. Any information and communication relating to the processing of
personal data should be easy to access and understand, using clear and plain language.4

Applying the foregoing to your concern, the privacy notice must indicate what type of personal
data will be processed, the purpose for processing (e.g., the transfer of distribution rights and
collection of unpaid or pending charges), the Data Subject’s rights, and the channels by which
to exercise it whenever applicable. We also recommend that these notices be sent individually
to the customers concerned for proper dissemination and information.

2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the
Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012],
Republic Act No. 10173 (2012).
3 Id. §3 (g).
4 Id. §18 (a)

Ref No.: PRD-23-00190 NPC_PPO_PRD_AOT-V1.0,R0.0,05 May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph/ Email Add: info@privacy.gov.ph * Tel No. 8234-2228
2
Accountability of PICs to data subjects.

On your query as to whether your company is free from liability towards the data subjects by
the transfer of rights to the local cooperative, we refer you to the principle of accountability
under Sec.21 of the DPA’s IRR, to wit:

SEC. 21. Principle of Accountability. – Each personal information controller is responsible

for personal information under its control or custody, including information that have
been transferred to a third party for processing, whether domestically or internationally,
subject to cross-border arrangement and cooperation.

(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to provide a
comparable level of protection while the information are being processed by a third party.

(b) The personal information controller shall designate an individual or individuals who
are accountable for the organization’s compliance with this Act. The identity of the
individual(s) so designated shall be made known to any data subject upon request. 5

Hence, your company remains to be a PIC if it retains the personal data of its customers and,
consequently, remains accountable to the latter.

In connection with the foregoing, please note that the DPA allows retention of personal data
only for as long as necessary for the fulfillment of purposes for which the data was obtained or
for the establishment, exercise, or defense of legal claims, or for legitimate business purposes,
or as provided by law.6

Some of the factors that may be considered by a PIC in determining retention periods of
personal data include but are not limited to:

(1) legal requirements which the company may be subject to;

(2) applicable prescription periods in existing laws; and
(3) industry standards, and other laws and regulations that apply to the sector.7

Thus, both your company and the local electric cooperative are considered as PICs with respect
to the personal data of the customers. Both entities are therefore expected to be accountable for
the personal data it processes to the end that the data subjects are protected from harm and
other privacy risks.

Please be advised that the foregoing was rendered based solely on the information provided.
Any extraneous fact that may be subsequently furnished us may affect our present position.
Note that this communication is not intended to adjudicate the rights and obligations of the
parties involved.

5 Id. § 21.
6 Id. §11 (e)
7 National Privacy Commission, NPC Advisory Opinion No. 2017-24 (21 June 2017).

Ref No.: PRD-23-00190 NPC_PPO_PRD_AOT-V1.0,R0.0,05 May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph/ Email Add: info@privacy.gov.ph * Tel No. 8234-2228
3
Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN, IV
Director IV, Privacy Policy Office

Ref No.: PRD-23-00190 NPC_PPO_PRD_AOT-V1.0,R0.0,05 May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph/ Email Add: info@privacy.gov.ph * Tel No. 8234-2228
4